A new analysis of the National Security Agency’s covert eavesdropping operations suggests the private American company that supplies the likes of Google and Yahoo with fiber optic cables might have allowed the NSA to infiltrate those networks.

Reporters at the New York Times wrote this week that Level
3 Communications — the Colorado-based internet company that
manages online traffic for much of North America, Latin America
and Europe — is likely responsible for letting the NSA and its
British counterpart silently collect troves of sensitive data
from the biggest firms on the web.

Last month, top-secret leaked documents released to
the media by former intelligence contractor, Edward
Snowden, revealed
efforts by the NSA to intercept web traffic going between data
centers owned by big companies in an unencrypted state. A
Washington Post report from late October attributes those Snowden
leaks as saying that the NSA was receiving millions of records
every day from internal Yahoo and Google networks and
transferring that information to a facility at the agency’s Fort
Meade, Maryland headquarters - all in spite of previously leaked
documents which detailed how those companies and others had been
providing the NSA with front-door access as part of the agency’s
PRISM operation.

Nevertheless, the Post reported last month that “From
undisclosed interception points, the NSA and the GCHQ are copying
entire data flows across fiber-optic cables that carry
information among the data centers of the Silicon Valley
giants.” Data stored within those facilities is highly secure
and encrypted, but not while in transit on cables primarily owned
by Level 3.

Nearly one month later, an article published this Monday by
Nicole Perlroth and John Markoff at the Times says those
interception points could have been approved by Level 3, who owns
the cable infrastructure that the majority of America’s web
traffic travels through.

“People knowledgeable about Google and Yahoo’s
infrastructure say they believe that government spies bypassed
the big Internet companies and hit them at a weak spot — the
fiber-optic cables that connect data centers around the world
that are owned by companies like Verizon Communications, the BT
Group, the Vodafone Group and Level 3 Communications,”
Perlroth and Markoff wrote. “In particular, fingers have been
pointed at Level 3, the world’s largest so-called Internet
backbone provider, whose cables are used by Google and
Yahoo.”

“It is impossible to say for certain how the NSA managed
to get Google and Yahoo’s data without the companies’
knowledge,” the Times article continued, “But both
companies, in response to concerns over those vulnerabilities,
recently said they were now encrypting data that runs on the
cables between their data centers.”

Through the NSA’s PRISM operation first disclosed by Mr
Snowden in June, the government is alleged to have “upstream”
access to data that non-US persons send through the servers of
major internet companies, even compensating those firms in order
to ensure they’re fully compliant with the feds’ requests. When
word of a backdoor operation targeting those same PRISM-partners
was disclosed last month, Google said at the time, “We are
outraged at the lengths to which the government seems to have
gone to intercept data from our private fiber networks, and it
underscores the need for urgent reform."

If the latest analysis in the Times proves to be correct,
the lengths that the NSA and its British counterpart have gone
to wouldn't necessarily be considered all that
outrageous. In fact, those agencies could have been obtaining
access from Level 3 perhaps with just a contract.

Reached by the Times for comment, Level 3 said, “It is
our policy and our practice to comply with laws in every country
where we operate, and to provide government agencies access to
customer data only when we are compelled to do so by the laws in
the country where the data is located.”

In a financial report made by the company and obtained by
the paper, however, Level 3 is revealed to have much more of a
relationship with the government then one that just involves the
occasional compliance order. According to that report, the
company announced, “We are party to an agreement with the US
Departments of Homeland Security, Justice and Defense addressing
the US government’s national security and law enforcement
concerns. This agreement imposes significant requirements on us
related to information storage and management; traffic
management; physical, logical and network security arrangements;
personnel screening and training and other matters.”

When news of the eavesdropping operation surfaced last
month, Christopher Soghoian, a technologist at the American Civil
Liberties Union, speculated on Twitter that if Level 3 indeed
allowed the government to tap its cables, they’d likely not be
covered by the same legal protections in the Foreign Intelligence
Surveillance Act, or FISA, that let feds conduct widespread
surveillance over private companies’ data.

If Level 3 voluntarily let NSA/GCHQ tap Google's data,
the immunity available via FISA 702 orders won't apply and they
can be sued.